Many individuals use mobile apps to monitor their health, learn about specific medical conditions, and help them achieve personal fitness goals. Apps in the “wellness” space include those that support diet and exercise programs; pregnancy trackers; behavioral and mental health coaches; symptom checkers that can link users to local health services; sleep and relaxation aids; and personal disease or chronic condition managers.

After studying 43 popular health and fitness apps (both free and paid) from both a consumer and technical perspective, it is clear that there are considerable privacy risks for users, and that the privacy policies for those apps that have policies do not describe those risks. However, these apps appeal to a wide range of consumers because they can be beneficial, convenient, and are often free to use.

Consumers should not assume any of their data is private in the mobile app environment, even health data that they consider sensitive. Users must weigh the benefits of the service against the realistic possibility that they are revealing information about their health not only to the app developer or publisher but also to third parties.

Of the free apps we reviewed, just under half (43%) provided a link to a website privacy policy. Of the sites that posted a privacy policy, only about half were accurate in describing the app's technical processes.

We performed a technical risk assessment to determine what data the apps collected, stored, and transmitted over the network. In other words, we “looked under the hood” to view the actual flow of personal information back to the app developer and to third parties.

Our findings:

Many apps send data in the clear (unencrypted) without user knowledge.

Many apps connect to several third-party sites without user knowledge.

Unencrypted connections potentially expose sensitive and embarrassing data to everyone on a network.

Nearly three-fourths, or 72%, of the apps we assessed presented medium (32%) to high (40%) risk regarding personal privacy.

The apps that presented the lowest privacy risk to users were paid apps. This is primarily because they don't rely solely on advertising to make money, which means the data is less likely to be available to other parties.
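The kind of "under the hood" triage described above can be scripted once the app's network requests have been captured through a proxy on a device you control. The following is an added example, not code from the report or from any of the apps studied: it takes constructed flow records (app name, request URL, body field names, and the developer's own domains, all invented here) and rates each request on the three concerns the findings name, cleartext transport, third-party destinations, and sensitive fields, then rolls the worst rating up per app so the share of apps at medium or high risk can be computed. The sensitive-field list, the risk rules, and the domain names are assumptions for illustration.

```python
"""Privacy triage of captured app network flows (constructed example)."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumed list of field names treated as sensitive; not the report's own criteria.
SENSITIVE_FIELDS = frozenset({
    "weight", "symptom", "medication", "pregnancy_week", "mood",
    "sleep_hours", "email", "device_id",
})
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Flow:
    app: str
    url: str               # full request URL as recorded by an intercepting proxy
    body_fields: frozenset  # keys present in the form or JSON request body
    first_party: frozenset  # domains the app developer itself operates


@dataclass(frozen=True)
class Finding:
    app: str
    host: str
    cleartext: bool
    third_party: bool
    sensitive: frozenset
    risk: str


def is_third_party(host: str, first_party: frozenset) -> bool:
    """True unless host is a first-party domain or a subdomain of one.

    The leading dot in the suffix check stops 'notfittrack.example'
    from matching 'fittrack.example'.
    """
    return not any(host == d or host.endswith("." + d) for d in first_party)


def rate(cleartext: bool, third_party: bool, sensitive: frozenset) -> str:
    """Assumed rules: sensitive data over cleartext or to a third party is high;
    cleartext or third-party traffic without sensitive fields is medium."""
    if sensitive and (cleartext or third_party):
        return "high"
    if cleartext or third_party:
        return "medium"
    return "low"


def assess_flow(flow: Flow) -> Finding:
    parts = urlsplit(flow.url)
    host = parts.hostname or ""
    # Query-string parameters leak just as body fields do, so include them.
    sent = frozenset(flow.body_fields) | frozenset(parse_qs(parts.query).keys())
    cleartext = parts.scheme.lower() != "https"
    third_party = is_third_party(host, flow.first_party)
    sensitive = sent & SENSITIVE_FIELDS
    return Finding(flow.app, host, cleartext, third_party, sensitive,
                   rate(cleartext, third_party, sensitive))


def assess(flows) -> list:
    return [assess_flow(f) for f in flows]


def app_risk(findings) -> dict:
    """Worst observed rating per app, mirroring a per-app privacy grade."""
    worst = {}
    for f in findings:
        if RISK_ORDER[f.risk] >= RISK_ORDER[worst.get(f.app, "low")]:
            worst[f.app] = f.risk
    return worst


def share_at_or_above(per_app: dict, level: str) -> float:
    """Fraction of apps rated at or above the given level."""
    hits = sum(1 for r in per_app.values() if RISK_ORDER[r] >= RISK_ORDER[level])
    return hits / len(per_app) if per_app else 0.0


# Constructed sample capture; these apps, hosts and fields are invented.
FT = frozenset({"fittrack.example"})
SAMPLE_FLOWS = [
    Flow("FitTrack", "https://api.fittrack.example/sync",
         frozenset({"weight", "sleep_hours"}), FT),
    Flow("FitTrack", "http://ads.adnet.example/track?device_id=abc123",
         frozenset(), FT),
    Flow("CalmSleep", "https://analytics.metrics.example/event",
         frozenset({"screen"}), frozenset({"calmsleep.example"})),
    Flow("SymptomCheck", "http://api.symptomcheck.example/query",
         frozenset({"symptom"}), frozenset({"symptomcheck.example"})),
    Flow("PaidDiet", "https://app.paiddiet.example/meals",
         frozenset({"weight"}), frozenset({"paiddiet.example"})),
]

if __name__ == "__main__":
    results = assess(SAMPLE_FLOWS)
    for f in results:
        print(f"{f.app:13} {f.host:30} cleartext={f.cleartext!s:5} "
              f"third_party={f.third_party!s:5} sensitive={sorted(f.sensitive)} -> {f.risk}")
    per_app = app_risk(results)
    print("per-app:", per_app)
    print("share medium or high:", share_at_or_above(per_app, "medium"))
```

In the constructed capture, the first-party HTTPS sync rates low even though it carries weight and sleep data, while the same app's cleartext beacon to an ad host carrying a device identifier rates high; that split is why a per-app rating takes the worst flow rather than the average. Real captures also need the app pinned to a test device and proxy you control, and the results should be compared line by line against what the app's privacy policy claims.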

Our tips for consumers:

Research the app before you download it.

Consider using paid apps over free apps if they offer better privacy protections.

Make your own assessment of the app's intrusiveness based on the personal information it asks for in order to use the app.

Assume any information you provide to an app may be distributed to the developer, third-party sites the developer uses for functionality, and unidentified third-party marketers and advertisers.

Try to limit the personal information you provide, and exercise caution when you share it. If the app allows it, try the features first without entering personal information.

Ask a tech-savvy friend to help you determine what information an app is asking for, help you navigate settings, and potentially help you restrict the information an app gathers.

If you stop using an app, delete it. If you have the option, also delete your personal profile and any data archive you've created while using the app.

We encourage mobile app developers to create products with privacy in mind and implement responsible information privacy and security practices. Most consumers lack the tools and knowledge to analyze data flows and security, so they have no way of knowing what is happening behind the scenes. Even if privacy and security practices are accurately detailed in a privacy policy, the average user has no way to decipher them.